pki-val - Certificate validation using Reflection PKI Services Manager


pki-val cert-path [-b path] [-d level] [-h] [-t host] [-u user] [-V] [-w]


Validates a certificate against a running instance of Reflection PKI Services Manager, which provides X.509 validation services. The Reflection PKI Services Manager service must be running on the same computer. For information about configuring and launching this service, see pki_config(5) and pkid(8).

Note: The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.

Use cert-path to identify the certificate to validate. You can use -u, -t, or -w after the certificate name to get information about allowed identities for that certificate. For example, to determine if sample.crt is valid:

pki-val sample.crt

To determine if the user joe can authenticate using sample.crt:

pki-val sample.crt -u joe


-b path    --baseDir path

Specifies the data directory used for PKI Services Manager configuration.

-d level   --debug level

Specifies the amount of information sent to the log. Allowed values are: 'error', 'warn', 'info', 'debug', and 'trace'. The default is 'error'.

-h    --help

Displays a brief summary of command options.

-t host   --hostName host

PKI Services Manager reads the map file(s) and reports whether the specified host is an allowed identity for the host certificate being validated.

-u user   --userID user

PKI Services Manager reads the map file(s) and reports whether the specified user is an allowed identity for the user certificate being validated. If you include a server name (in the form user@server), PKI Services Manager reports on whether the user is allowed to authenticate to the specified server. If you specify only a user name, PKI Services Manager tests whether the user is allowed to authenticate with this certificate without checking for host-specific conditions.

-V    --version

Displays the product name and version.

-w [host]   --whoAmI [host]

PKI Services Manager reads the identity map file(s) and returns a list of all allowed identities for the certificate being authenticated. If you specify a server name after this option, the list is limited to allowed users for connections to that server. If no server name is specified, PKI Services Manager doesn't check for server-specific conditions.


Copyright (C) 2013 Attachmate Corporation


pkid(8), pki_config(5), pki_mapfile(5)

Additional documentation is available online from the Attachmate documentation web page:

And from the technical note library: